United States Patent [19]

Lee et al.

US006167522A

[11] Patent Number: 6,167,522

[45] Date of Patent: *Dec. 26, 2000

[54] METHOD AND APPARATUS FOR 

PROVIDING SECURITY FOR SERVERS 
EXECUTING APPLICATION PROGRAMS 
RECEIVED VIA A NETWORK 

[75] Inventors: Jong Y. Lee, Mountain View; Satish K. 

Dharmaraj, Santa Clara, both of Calif. 

[73] Assignee: Sun Microsystems, Inc., Mountain 
View, Calif. 

[ * ] Notice: This patent issued on a continued pros- 
ecution application filed under 37 CFR 
1.53(d), and is subject to the twenty year 
patent term provisions of 35 U.S.C. 
154(a)(2). 

[21] Appl. No.: 08/829,990 
[22] Filed: Apr. 1, 1997 

[51] Int. Cl.7 G06F 12/14

[52] U.S. Cl. 713/201; 713/165

[58] Field of Search 395/187.01, 186; 

380/4; 713/200, 201, 164, 165, 166, 180, 
181; 705/51, 59 

[56] References Cited 

U.S. PATENT DOCUMENTS 

5,421,006 5/1995 Jablon et al 395/575 

5,692,047 11/1997 McManis 380/4 



5,720,033 2/1998 Deo 395/186 

5,825,877 10/1998 Dan et al 705/54 

5,892,904 4/1999 Atkinson et al 713/201 

5,928,323 7/1999 Gosling et al 709/203 

5,958,051 9/1999 Renaud et al 713/200 

FOREIGN PATENT DOCUMENTS 

0 409 397 A2 6/1990 European Pat. Off.

0 409 397 A3 6/1990 European Pat. Off.

0 570 123 A1 4/1993 European Pat. Off.

0 580 350 A1 7/1993 European Pat. Off.

OTHER PUBLICATIONS 

Glenn Krasner, "The Smalltalk--80 Virtual Machine", Learn- 
ing Research Group, Byte Publication Inc., Aug. 1981, pp. 
300-320. 

Primary Examiner — Ly V. Hua 

Assistant Examiner — Christopher Revak 

Attorney, Agent, or Firm— Blakely, Sokoloff, Taylor & 

Zafman 

[57] ABSTRACT 

A method and apparatus for providing security to a server 
running an application program received over a network is 
provided. The application program, along with a source 
identifier is received from a source computer. Access privi- 
leges to server resources are granted based on the source 
identifier. The application program is loaded into a 
predetermined, bounded region of memory. 
METHOD AND APPARATUS FOR PROVIDING SECURITY FOR SERVERS EXECUTING APPLICATION PROGRAMS RECEIVED VIA A NETWORK

FIELD OF THE INVENTION

The present invention relates to network computing, and more specifically, to providing security for servers that receive applications programs via a network.

BACKGROUND OF THE INVENTION

Currently, the largest computer network in existence is the Internet, which is a worldwide interconnection of computer networks that communicate using a common protocol. The Internet grew out of work funded in the 1960s by the United States Department of Defense's Advanced Research Projects Agency (ARPA). Millions of computers, from low-end personal computers to high-end supercomputers, are connected to the Internet. For many years, few outside of the academic/research community accessed the Internet.

In 1989, a new type of information system known as the World-Wide Web (the Web) was introduced to the Internet. Early development of the Web took place at CERN, the European Particle Physics Laboratory. The Web is a wide-area hypermedia information retrieval system.

At that time, the architecture of the Web typically followed a conventional client-server model. The terms "client" and "server" are used to refer to a computer's general role as a requester of data (the client) or provider of data (the server). In the Web environment, Web browsers, such as Mosaic, reside in clients and Web documents reside in servers. Web clients and Web servers communicate using a protocol called "HyperText Transfer Protocol" (HTTP). A browser opens a connection to a server and initiates a request for a document. The server delivers the requested document, typically in the form of a text document coded in a standard HyperText Markup Language (HTML) format.

Programs written in the Java™ language, developed by Sun Microsystems of Mountain View, Calif., are architecture neutral such that the programs run on any platform that supports Java. The programs are architecture neutral because they are compiled into a series of byte-codes that are not hardware specific and thus can be downloaded and executed on many different computers. Byte-codes are transmitted over the Internet and then translated and executed by the receiving computer.

One unique feature of Java, not provided by Web browsers that do not support Java, is the ability to provide applets as part of a Web page. Applets are part of a Web page, but they are downloaded and executed by the computer running a Web browser rather than the Web server. Thus, a user with a browser that supports Java accesses a Web page and downloads a small program that is executed locally. This, however, differs from the traditional client-server model.

To provide security, Java methods and variables are accessed by name and are executed in a restricted environment that includes a predetermined portion of memory. Furthermore, when byte-codes are received they are subjected to a verification process that determines whether the byte-codes have been modified.

Security for applets may be provided in a straightforward all-or-nothing manner. For example, the applet is loaded and executed, or it is not loaded and executed. Because the applet is self-contained, it does not access local resources other than a designated, bounded region of memory.

Another unique feature of Java is the servlet, which is a program like an applet; however, a servlet runs on the Web server rather than the Web browser. Servlets are typically larger than applets and/or require more resources. For example, a servlet may be a search program offered by a particular server. A user accesses the servlet by supplying search parameters. The servlet then executes a search of resources available to the server. Thus, a user may have access to certain server resources, and the server may have its search software updated by a third party without any effort by the server administrator.

Because servlets may require access to server resources, the all-or-nothing approach is inefficient. In order to provide a secure all-or-nothing scheme in a server that loads servlets, a standard subset of resources would be offered to all servlets. However, different servlets require different resources, and different servlet sources may be worthy of different levels of trust. Thus, prior security schemes do not provide a flexible, yet secure, environment for providing servlets on a server. Therefore, it would be desirable to provide security to Web servers from potentially hostile programs, wherein permissions to access the resources of the server are granted based on the source of the program.

As the Web grows, it would be desirable to provide greater access to the resources and features of the Web. Thus, many controllers of Web servers may wish to provide access to servlets developed by third parties. Therefore, it would be beneficial to provide security to Web servers from potentially hostile servlets, wherein access to the resources of the server is allocated based on the source of a particular servlet.

SUMMARY OF THE INVENTION

A method and apparatus for providing security for a server executing programs received by the server via a network is disclosed. An application program that is to be provided by a Web server, along with a source identifier, is received by the Web server via a network, such as the Internet. Before loading the application program, the server performs a verification procedure including granting access privileges based on the source identifier. Access privileges are granted or withheld for a plurality of resources available to the server. If an application program is received from a known hostile source or no access privileges are granted, the applications program may be rejected. Thus, the resources defining the application program's universe, or sandbox, are determined individually based on source identifiers.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements and in which:

FIG. 1 is one embodiment of a network that may be used to practice the present invention.

FIG. 2 is a block diagram for practicing the present invention.

FIG. 3 is a flow diagram of one embodiment of verifying a servlet and allocating resources to the servlet based on the source of the servlet according to the present invention.

DETAILED DESCRIPTION

A method and apparatus for providing security to servers running applications programs based on the source of the application program is described. In the following
description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough
understanding of the present invention. It will be apparent, 
however, to one skilled in the art that the present invention 
may be practiced without these specific details. In other 
instances, well-known structures and devices are shown in 
block diagram form in order to avoid unnecessarily obscur- 
ing the present invention. 

An application program that is to be provided by a Web 
server along with a source identifier is received by the Web 
server via a network, such as, the Internet. The source 
identifier functions as an indication of sponsorship. The 
entity sponsoring, or vouching for, the reliability of the 
application program signs the application program. Thus, the level of trust afforded the signing entity is granted to applications programs signed by that entity.

Before loading the application program, the server performs a verification procedure including granting access privileges based on the source identifier. Access privileges are granted or withheld for resources available to the server. If an application program is received from a known hostile source, or if no access privileges are granted, the applications program may be rejected. Thus, the resources defining the application program's sandbox are determined individually based on source identifiers.

FIG. 1 is one embodiment of a network that may be used to practice the present invention. Internet 100 connects a plurality of hosts, such as hosts 120, 122, 124 and 126, to Web server 150. The hosts may also act as Web servers to provide files or resources to other hosts. Alternatively, Internet 100 may be a local area network (LAN) or other network that connects a plurality of computers together.

According to the present invention, a host may send a program, such as a servlet, to Web server 150. When Web server 150 receives a servlet and a source identifier from a source computer, the source of the servlet is checked to determine the access privileges available to the servlet. It is important to note that source identifiers indicate the entity that sponsors or vouches for the reliability of the servlet, not the source computer from which the servlet is received. Thus, a servlet may be signed by a particular entity and distributed by many other computers that may or may not be associated with the signing entity. Web server 150 may reject a servlet from an unknown or known hostile source, or Web server 150 may accept and load a servlet and grant access to server resources based on the source identifier. Once the servlet is loaded by Web server 150, it may be accessed by a Web browser running on a host connected to Web server 150.

FIG. 2 is one embodiment of a source computer coupled to a Web server via the Internet according to the present invention. The steps for providing security in the server according to one embodiment are shown as blocks in the computer that performs that step.

An application program, such as a servlet, may be developed on a computer other than the one on which it is to be offered over a network. A servlet is written in servlet code, shown by 202. According to one embodiment, the servlet is developed in a Java environment; however, a servlet or other program may be developed in a non-Java environment. The servlet code is compiled, at 204, into a plurality of byte-codes, shown by 206. Byte-codes are similar to machine instructions; however, they are not machine specific. Byte-length codes are used in one embodiment of the present invention; however, other code sizes may also be used. It is important to note that all of the codes are the same size.

A digital signature, which may include a digital certificate, represented by 208, is then appended to byte-codes 206. This digital signature acts as a source identifier. According to one embodiment, the digital certificate is an X.509 certificate, as well known to those of ordinary skill in the art. However, other source identifiers may also be used. The source identifier must provide a secure and unique identification of the signer such that the administrator of the receiving Web server may trust the source identifier to authenticate the source of the servlet. For simplicity, source computer 200 is also the signing entity; however, this is not necessarily always the case. A computer other than source computer 200 may be a sponsor and add a digital signature to the set of byte-codes.

The byte-codes are sent to a designated server via the Internet or other network. The receiving computer, such as Web server 150, that receives the byte-codes executes a verification process. Verification comprises examining the source identifier, such as digital signature 208, against a local list of known trusted sources and granting resource privileges based on that source. Additionally, the verification process includes other verification techniques to determine whether the byte-codes have been modified. In one embodiment, an access control list (ACL) is stored on Web server 150 that lists trusted sources and the privileges extended to servlets received from those sources. Resource privileges may include privileges to read and write files on the server's disk, network read and write privileges, execution privileges, system property access, and socket listen or connect privileges. Other privileges may also be granted. Any combination of one or more of these access privileges may be granted.

Once the byte-codes have been verified, they are translated into servlets configured to run on the architecture of Web server 150. The servlet is then loaded into the servlet's sandbox (i.e., a known, bounded area in memory) and granted access only to those specific resources listed in the ACL. Once the servlet is loaded in Web server 150, Web browser 170 may access the servlet and any resources available to the servlet. Thus, resource privileges are granted on a servlet-by-servlet basis, which increases the flexibility of a Web server's security. This improved flexibility allows administrators to grant more privileges to known and trusted sources, while granting fewer privileges to new or unknown sources. By eliminating an all-or-nothing security approach, the Web may offer more resources in a more convenient manner.

FIG. 3 is a flow diagram of one embodiment of verifying 
a servlet and allocating resources to the servlet based on the 
source of the servlet according to the present invention. In 
step 300, a Web server receives a servlet or other application 
program via a network, such as the Internet. 

In step 310 the local ACL is checked to determine what, 
if any, privileges are to be granted to the servlet based on the 
source identifier received with the servlet. The ACL may 
contain an entry for unsigned servlets to grant a specified 
level of access to all unsigned servlets. Alternatively, the 
Web server may reject all unsigned servlets along with 
servlets received from a source known to be hostile. 

If no access privileges are granted in step 320, the servlet 
is rejected or not loaded in step 330. If the servlet is granted 
access privileges in step 320, a sandbox is defined for the 
servlet in step 340. A sandbox defines the set of access 
privileges granted to the servlet. 

In step 350, the servlet is loaded by Web server 150. In 
addition to limitations imposed on a servlet by the sandbox 
to which it is assigned, other checks may be performed. For 
example, accesses to certain resources may be monitored by 
the server to guard against hostile behavior. 

Thus, by providing identity-based access controls, a Web 
server can control which servlets have access to which data. 
This arrangement provides protection against theft or alter- 
ation of data. In addition, by restricting a servlet to a 
sandbox, the Web server can control the damage that mali- 
cious code can cause. 

In the foregoing specification, the invention has been 
described with reference to specific embodiments thereof. It 
will, however, be evident that various modifications and 
changes may be made thereto without departing from the 
broader spirit and scope of the invention. The specification 
and drawings are, accordingly, to be regarded in an illus- 
trative rather than a restrictive sense. 

What is claimed is: 

1. A method comprising: 

receiving a servlet from a source computer, wherein the 
servlet has an associated source identifier that uniquely 
identifies a sponsor of the servlet in a secure manner; 
and 

granting one or more access privileges to resources to be 
provided by a server to the servlet, wherein the access 
privileges are individually determined for each 
resource based, at least in part, on the source identifier. 

2. The method of claim 1, wherein the source identifier is 
a digital signature. 

3. The method of claim 1, wherein determining resources 
to be provided for use by the application program based on 
the source identifier comprises checking an access control 
list (ACL) to determine the resources available to the servlet 
based on the source identifier. 

4. The method of claim 1, wherein the access privileges 
comprise one or more of: 

server disk read privileges; 
server disk write privileges; 
server network read privileges; and 
server network write privileges. 

5. The method of claim 1, wherein the access privileges 
comprise one or more of: 

execution privileges; 
system property access privileges; 
socket connect privileges; and 
socket listen privileges. 

6. The method of claim 1, wherein the source identifier 
identifies the source computer. 

7. The method of claim 1, wherein the source identifier 
identifies a computer that is not the source computer. 

8. A method for providing a servlet for execution on a 
remote server, wherein the server allocates local resource 
access based on a source of the servlet, the method com- 
prising: 

generating the servlet; 

compiling the servlet into a plurality of predetermined 
length codes; 

generating a source identifier; 

associating the source identifier with the codes; and 

sending the codes and the source identifier to a server, 
wherein the server verifies the codes and allocates 
access privileges to local resources based on the source 
identifier, the access privileges are individually deter- 
mined for each resource based, at least in part on the 
source identifier, further wherein the server generates the 
servlet based on the codes received. 
9. The method of claim 8, wherein the source identifier 
comprises a digital signature. 

10. The method of claim 8, wherein the plurality of 
predetermined length codes comprises a plurality of byte-length codes. 

11. The method of claim 8, wherein the access privileges 
comprise one or more of: 

server disk read privileges; 
server disk write privileges; 
server network read privileges; and 
server network write privileges. 

12. The method of claim 8, wherein the access privileges 
comprise one or more of: 

execution privileges; 

system property access privileges; 

socket connect privileges; and 

socket listen privileges. 
13. The method of claim 8, wherein the source identifier 
identifies the source computer. 

14. The method of claim 8, wherein the source identifier 
identifies a computer that is not the source computer. 

15. An apparatus for loading a servlet received from a 
source computer for use on a server, the apparatus compris- 
ing: 

means for receiving the servlet from a source computer, 
wherein the servlet has associated with it a source 
identifier that uniquely identifies a sponsor of the 
servlet in a secure manner; 

granting one or more access privileges to resources to be 
provided by the server to the servlet, wherein the access 
privileges are individually determined for each 
resource based, at least in part, on the source identifier. 
16. The apparatus of claim 15 wherein the source iden- 
tifier comprises a digital signature. 

17. The apparatus of claim 16, wherein the means for 
determining resources accessible by the server comprises an 
access control list (ACL) maintained on the server. 
18. A machine readable medium having stored thereon 
data representing sequences of instructions, which when 
executed by a processor, cause the processor to: 

receive a servlet from a source computer, wherein the 
servlet has associated with it a source identifier that 
uniquely identifies a sponsor of the servlet in a secure 
manner; 

grant one or more access privileges to resources to be 
provided by the server to the servlet, wherein the access 
privileges are individually determined for each 
resource based, at least in part, on the source identifier. 

19. The machine readable medium of claim 18, wherein 
the source identifier comprises a digital signature. 

20. The machine readable medium of claim 18, wherein 
the sequence of instructions that cause the processor to 

determine resources accessible by the server to be provided 
for use by the servlet based on the source identifier further 
comprises sequences of instructions that cause the processor 
to check an access control list (ACL) to determine the 
resources available to the servlet based on the source identifier. 

21. The machine readable medium of claim 18, wherein 
the access privileges comprise one or more of: 

server disk read privileges; 
server disk write privileges; 

server network read privileges; and 
server network write privileges. 
22. The machine readable medium of claim 18, wherein 
the access privileges comprise one or more of: 

execution privileges; 
system property access privileges; 
socket connect privileges; and 
socket listen privileges. 

* * * * *